titan-iac/services/logging/oauth2-proxy.yaml

# services/logging/oauth2-proxy.yaml
apiVersion: v1
kind: Service
metadata:
  name: oauth2-proxy-logs
  namespace: logging
  labels:
    app: oauth2-proxy-logs
spec:
  ports:
    - name: http
      port: 80
      targetPort: 4180
  selector:
    app: oauth2-proxy-logs

---

apiVersion: apps/v1
kind: Deployment
metadata:
  name: oauth2-proxy-logs
  namespace: logging
  labels:
    app: oauth2-proxy-logs
spec:
  replicas: 2
  selector:
    matchLabels:
      app: oauth2-proxy-logs
  template:
    metadata:
      labels:
        app: oauth2-proxy-logs
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "logging"
        vault.hashicorp.com/agent-inject-secret-oidc-env: "kv/data/atlas/logging/oauth2-proxy-logs-oidc"
        vault.hashicorp.com/agent-inject-template-oidc-env: |
          {{- with secret "kv/data/atlas/logging/oauth2-proxy-logs-oidc" -}}
          export OAUTH2_PROXY_CLIENT_ID="{{ .Data.data.client_id }}"
          export OAUTH2_PROXY_CLIENT_SECRET="{{ .Data.data.client_secret }}"
          export OAUTH2_PROXY_COOKIE_SECRET="{{ .Data.data.cookie_secret }}"
          {{- end -}}
    spec:
      serviceAccountName: logging-vault-sync
      imagePullSecrets:
        - name: harbor-regcred
      nodeSelector:
        node-role.kubernetes.io/worker: "true"
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: hardware
                    operator: In
                    values:
                      - rpi5
                      - rpi4
      containers:
        - name: oauth2-proxy
          image: registry.bstein.dev/tools/oauth2-proxy-vault:v7.6.0
          imagePullPolicy: IfNotPresent
          command: ["/entrypoint.sh"]
          args:
            - /bin/oauth2-proxy
            - --provider=oidc
            - --redirect-url=https://logs.bstein.dev/oauth2/callback
            - --oidc-issuer-url=https://sso.bstein.dev/realms/atlas
            - --scope=openid profile email
            - --email-domain=*
            - --code-challenge-method=S256
            - --set-xauthrequest=true
            - --pass-access-token=true
            - --set-authorization-header=true
            - --cookie-secure=true
            - --cookie-samesite=lax
            - --cookie-refresh=20m
            - --cookie-expire=168h
            - --insecure-oidc-allow-unverified-email=true
            - --upstream=http://opensearch-dashboards.logging.svc.cluster.local:5601
            - --http-address=0.0.0.0:4180
            - --skip-provider-button=true
            - --skip-jwt-bearer-tokens=true
            - --cookie-domain=logs.bstein.dev
          env:
            - name: VAULT_ENV_FILE
              value: /vault/secrets/oidc-env
          ports:
            - containerPort: 4180
              name: http
          readinessProbe:
            httpGet:
              path: /ping
              port: 4180
            initialDelaySeconds: 5
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /ping
              port: 4180
            initialDelaySeconds: 20
            periodSeconds: 20
logging: add loki and fluent-bit 2026-01-08 22:31:45 -03:00			`# services/logging/oauth2-proxy.yaml`
			`apiVersion: v1`
			`kind: Service`
			`metadata:`
logging: add opensearch dashboards ui 2026-01-09 08:54:07 -03:00			`name: oauth2-proxy-logs`
logging: add loki and fluent-bit 2026-01-08 22:31:45 -03:00			`namespace: logging`
			`labels:`
logging: add opensearch dashboards ui 2026-01-09 08:54:07 -03:00			`app: oauth2-proxy-logs`
logging: add loki and fluent-bit 2026-01-08 22:31:45 -03:00			`spec:`
			`ports:`
			`- name: http`
			`port: 80`
			`targetPort: 4180`
			`selector:`
logging: add opensearch dashboards ui 2026-01-09 08:54:07 -03:00			`app: oauth2-proxy-logs`
logging: add loki and fluent-bit 2026-01-08 22:31:45 -03:00
			`---`

			`apiVersion: apps/v1`
			`kind: Deployment`
			`metadata:`
logging: add opensearch dashboards ui 2026-01-09 08:54:07 -03:00			`name: oauth2-proxy-logs`
logging: add loki and fluent-bit 2026-01-08 22:31:45 -03:00			`namespace: logging`
			`labels:`
logging: add opensearch dashboards ui 2026-01-09 08:54:07 -03:00			`app: oauth2-proxy-logs`
logging: add loki and fluent-bit 2026-01-08 22:31:45 -03:00			`spec:`
			`replicas: 2`
			`selector:`
			`matchLabels:`
logging: add opensearch dashboards ui 2026-01-09 08:54:07 -03:00			`app: oauth2-proxy-logs`
logging: add loki and fluent-bit 2026-01-08 22:31:45 -03:00			`template:`
			`metadata:`
			`labels:`
logging: add opensearch dashboards ui 2026-01-09 08:54:07 -03:00			`app: oauth2-proxy-logs`
vault: inject remaining services with wrappers 2026-01-14 17:29:09 -03:00			`annotations:`
			`vault.hashicorp.com/agent-inject: "true"`
			`vault.hashicorp.com/role: "logging"`
			`vault.hashicorp.com/agent-inject-secret-oidc-env: "kv/data/atlas/logging/oauth2-proxy-logs-oidc"`
			`vault.hashicorp.com/agent-inject-template-oidc-env: \|`
			`{{- with secret "kv/data/atlas/logging/oauth2-proxy-logs-oidc" -}}`
			`export OAUTH2_PROXY_CLIENT_ID="{{ .Data.data.client_id }}"`
			`export OAUTH2_PROXY_CLIENT_SECRET="{{ .Data.data.client_secret }}"`
			`export OAUTH2_PROXY_COOKIE_SECRET="{{ .Data.data.cookie_secret }}"`
			`{{- end -}}`
logging: add loki and fluent-bit 2026-01-08 22:31:45 -03:00			`spec:`
vault: inject remaining services with wrappers 2026-01-14 17:29:09 -03:00			`serviceAccountName: logging-vault-sync`
			`imagePullSecrets:`
			`- name: harbor-regcred`
logging: add loki and fluent-bit 2026-01-08 22:31:45 -03:00			`nodeSelector:`
			`node-role.kubernetes.io/worker: "true"`
			`affinity:`
			`nodeAffinity:`
logging: fix oauth2 scope and pin loki to rpi 2026-01-09 07:12:40 -03:00			`requiredDuringSchedulingIgnoredDuringExecution:`
			`nodeSelectorTerms:`
			`- matchExpressions:`
logging: add loki and fluent-bit 2026-01-08 22:31:45 -03:00			`- key: hardware`
			`operator: In`
logging: fix oauth2 scope and pin loki to rpi 2026-01-09 07:12:40 -03:00			`values:`
			`- rpi5`
			`- rpi4`
logging: add loki and fluent-bit 2026-01-08 22:31:45 -03:00			`containers:`
			`- name: oauth2-proxy`
vault: inject remaining services with wrappers 2026-01-14 17:29:09 -03:00			`image: registry.bstein.dev/tools/oauth2-proxy-vault:v7.6.0`
logging: add loki and fluent-bit 2026-01-08 22:31:45 -03:00			`imagePullPolicy: IfNotPresent`
vault: finalize sidecar migration 2026-01-15 01:52:24 -03:00			`command: ["/entrypoint.sh"]`
logging: add loki and fluent-bit 2026-01-08 22:31:45 -03:00			`args:`
vault: finalize sidecar migration 2026-01-15 01:52:24 -03:00			`- /bin/oauth2-proxy`
logging: add loki and fluent-bit 2026-01-08 22:31:45 -03:00			`- --provider=oidc`
			`- --redirect-url=https://logs.bstein.dev/oauth2/callback`
			`- --oidc-issuer-url=https://sso.bstein.dev/realms/atlas`
logging: fix oauth2 scope and pin loki to rpi 2026-01-09 07:12:40 -03:00			`- --scope=openid profile email`
logging: add loki and fluent-bit 2026-01-08 22:31:45 -03:00			`- --email-domain=*`
logging: remove loki and backfill to opensearch 2026-01-09 18:08:39 -03:00			`- --code-challenge-method=S256`
logging: add loki and fluent-bit 2026-01-08 22:31:45 -03:00			`- --set-xauthrequest=true`
			`- --pass-access-token=true`
			`- --set-authorization-header=true`
			`- --cookie-secure=true`
			`- --cookie-samesite=lax`
			`- --cookie-refresh=20m`
			`- --cookie-expire=168h`
			`- --insecure-oidc-allow-unverified-email=true`
logging: add opensearch dashboards ui 2026-01-09 08:54:07 -03:00			`- --upstream=http://opensearch-dashboards.logging.svc.cluster.local:5601`
logging: add loki and fluent-bit 2026-01-08 22:31:45 -03:00			`- --http-address=0.0.0.0:4180`
			`- --skip-provider-button=true`
			`- --skip-jwt-bearer-tokens=true`
			`- --cookie-domain=logs.bstein.dev`
			`env:`
vault: inject remaining services with wrappers 2026-01-14 17:29:09 -03:00			`- name: VAULT_ENV_FILE`
			`value: /vault/secrets/oidc-env`
logging: add loki and fluent-bit 2026-01-08 22:31:45 -03:00			`ports:`
			`- containerPort: 4180`
			`name: http`
			`readinessProbe:`
			`httpGet:`
			`path: /ping`
			`port: 4180`
			`initialDelaySeconds: 5`
			`periodSeconds: 10`
			`livenessProbe:`
			`httpGet:`
			`path: /ping`
			`port: 4180`
			`initialDelaySeconds: 20`
			`periodSeconds: 20`